/*     */ package com.zimbra.cs.service;
/*     */ 
/*     */ import com.zimbra.common.account.ZAttrProvisioning.MailSSLClientCertMode;
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.common.util.Log;
/*     */ import com.zimbra.common.util.ZimbraLog;
/*     */ import com.zimbra.cs.account.AccountServiceException.AuthFailedServiceException;
/*     */ import com.zimbra.cs.account.AuthToken;
/*     */ import com.zimbra.cs.account.Provisioning;
/*     */ import com.zimbra.cs.account.Server;
/*     */ import com.zimbra.cs.account.auth.AuthContext.Protocol;
/*     */ import com.zimbra.cs.service.authenticator.ClientCertAuthenticator;
/*     */ import com.zimbra.cs.service.authenticator.SSOAuthenticator;
/*     */ import com.zimbra.cs.service.authenticator.SSOAuthenticator.ZimbraPrincipal;
/*     */ import java.io.IOException;
/*     */ import java.util.regex.Matcher;
/*     */ import java.util.regex.Pattern;
/*     */ import javax.servlet.RequestDispatcher;
/*     */ import javax.servlet.ServletContext;
/*     */ import javax.servlet.ServletException;
/*     */ import javax.servlet.http.HttpServletRequest;
/*     */ import javax.servlet.http.HttpServletResponse;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public class CertAuthServlet
/*     */   extends SSOServlet
/*     */ {
/*  46 */   private static final Pattern allowedUrl = Pattern.compile("^(/service/certauth)(/|/(admin)(/)?)?$");
/*     */   
/*     */   private static final String MSGPAGE_FORBIDDEN = "errorpage.forbidden";
/*  49 */   private String forbiddenPage = null;
/*     */   
/*     */   public void init() throws ServletException
/*     */   {
/*  53 */     super.init();
/*  54 */     this.forbiddenPage = getInitParameter("errorpage.forbidden");
/*     */   }
/*     */   
/*     */   public void doGet(HttpServletRequest req, HttpServletResponse resp)
/*     */     throws ServletException, IOException
/*     */   {
/*  60 */     ZimbraLog.clearContext();
/*  61 */     addRemoteIpToLoggingContext(req);
/*  62 */     addUAToLoggingContext(req);
/*     */     
/*  64 */     String url = req.getRequestURI();
/*  65 */     Matcher matcher = allowedUrl.matcher(url);
/*     */     
/*  67 */     boolean isAdminRequest = false;
/*  68 */     if (!matcher.matches()) {
/*  69 */       String msg = "resource not allowed on the certauth servlet: " + url;
/*  70 */       ZimbraLog.account.error(msg);
/*  71 */       sendback403Message(req, resp, msg);
/*  72 */       return;
/*     */     }
/*  74 */     if ((matcher.groupCount() > 3) && ("admin".equals(matcher.group(3)))) {
/*  75 */       isAdminRequest = true;
/*     */     }
/*     */     
/*     */     try
/*     */     {
/*  80 */       SSOAuthenticator authenticator = new ClientCertAuthenticator(req, resp);
/*  81 */       SSOAuthenticator.ZimbraPrincipal principal = null;
/*     */       
/*  83 */       principal = authenticator.authenticate();
/*  84 */       AuthToken authToken = authorize(req, AuthContext.Protocol.client_certificate, principal, isAdminRequest);
/*  85 */       setAuthTokenCookieAndRedirect(req, resp, principal.getAccount(), authToken);
/*  86 */       return;
/*     */     }
/*     */     catch (ServiceException e) {
/*  89 */       String reason = "";
/*  90 */       if ((e instanceof AccountServiceException.AuthFailedServiceException)) {
/*  91 */         reason = ((AccountServiceException.AuthFailedServiceException)e).getReason(", %s");
/*     */       }
/*  93 */       ZimbraLog.account.debug("client certificate auth failed: " + e.getMessage() + reason, e);
/*     */       
/*  95 */       dispatchOnError(req, resp, isAdminRequest, e.getMessage());
/*     */     }
/*     */   }
/*     */   
/*     */ 
/*     */   public void doPost(HttpServletRequest req, HttpServletResponse resp)
/*     */     throws ServletException, IOException
/*     */   {
/* 103 */     doGet(req, resp);
/*     */   }
/*     */   
/*     */   private void dispatchOnError(HttpServletRequest req, HttpServletResponse resp, boolean isAdminRequest, String msg)
/*     */     throws ServletException, IOException
/*     */   {
/* 109 */     if (missingClientCertOK()) {
/*     */       try {
/* 111 */         redirectToErrorPage(req, resp, isAdminRequest, null);
/*     */       } catch (ServiceException e) {
/* 113 */         ZimbraLog.account.error("failed to redirect to error page (" + msg + ")", e);
/* 114 */         sendback403Message(req, resp, msg);
/*     */       }
/*     */     } else {
/* 117 */       sendback403Message(req, resp, msg);
/*     */     }
/*     */   }
/*     */   
/*     */ 
/*     */   private void sendback403Message(HttpServletRequest req, HttpServletResponse resp, String msg)
/*     */     throws ServletException, IOException
/*     */   {
/* 125 */     if (this.forbiddenPage != null) {
/*     */       try
/*     */       {
/* 128 */         RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(this.forbiddenPage);
/* 129 */         if (dispatcher != null) {
/* 130 */           dispatcher.forward(req, resp);
/* 131 */           return;
/*     */         }
/*     */       } catch (IOException e) {
/* 134 */         ZimbraLog.account.warn("unable to forward to forbidden page" + this.forbiddenPage, e);
/*     */       } catch (ServletException e) {
/* 136 */         ZimbraLog.account.warn("unable to forward to forbidden page" + this.forbiddenPage, e);
/*     */       }
/*     */     }
/*     */     
/*     */ 
/* 141 */     resp.sendError(403, msg);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   private boolean missingClientCertOK()
/*     */   {
/*     */     try
/*     */     {
/* 151 */       Server server = Provisioning.getInstance().getLocalServer();
/* 152 */       ZAttrProvisioning.MailSSLClientCertMode mode = server.getMailSSLClientCertMode();
/* 153 */       if (mode == ZAttrProvisioning.MailSSLClientCertMode.WantClientAuth) {
/* 154 */         return true;
/*     */       }
/*     */     } catch (ServiceException e) {
/* 157 */       ZimbraLog.account.debug("unable to get local server", e);
/*     */     }
/* 159 */     return false;
/*     */   }
/*     */   
/*     */   protected boolean redirectToRelativeURL()
/*     */   {
/* 164 */     return false;
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/service/CertAuthServlet.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */